fix: user permission on reports (#52709)

erpnext/accounts/doctype/financial_report_template/financial_report_engine.py

@@ -15,7 +15,7 @@ from frappe.database.operator_map import OPERATOR_MAP
 from frappe.query_builder import Case
 from frappe.query_builder.functions import Sum
 from frappe.utils import cstr, date_diff, flt, getdate
-from pypika.terms import LiteralValue
+from pypika.terms import Bracket, LiteralValue
 
 from erpnext import get_company_currency
 from erpnext.accounts.doctype.accounting_dimension.accounting_dimension import (
@@ -732,7 +732,7 @@ class FinancialQueryBuilder:
 		user_conditions = build_match_conditions(doctype)
 
 		if user_conditions:
-			query = query.where(LiteralValue(user_conditions))
+			query = query.where(Bracket(LiteralValue(user_conditions)))
 
 		return query.run(as_dict=True)
 

erpnext/accounts/report/customer_ledger_summary/customer_ledger_summary.py

@@ -8,7 +8,7 @@ from frappe.query_builder import Criterion, Tuple
 from frappe.query_builder.functions import IfNull
 from frappe.utils import getdate, nowdate
 from frappe.utils.nestedset import get_descendants_of
-from pypika.terms import LiteralValue
+from pypika.terms import Bracket, LiteralValue
 
 from erpnext.accounts.doctype.accounting_dimension.accounting_dimension import (
 	get_accounting_dimensions,
@@ -84,10 +84,8 @@ class PartyLedgerSummaryReport:
 
 		from frappe.desk.reportview import build_match_conditions
 
-		match_conditions = build_match_conditions(party_type)
-
-		if match_conditions:
-			query = query.where(LiteralValue(match_conditions))
+		if match_conditions := build_match_conditions(party_type):
+			query = query.where(Bracket(LiteralValue(match_conditions)))
 
 		party_details = query.run(as_dict=True)
 

erpnext/accounts/report/financial_statements.py

@@ -11,7 +11,7 @@ import frappe
 from frappe import _
 from frappe.query_builder.functions import Max, Min, Sum
 from frappe.utils import add_days, add_months, cint, cstr, flt, formatdate, get_first_day, getdate
-from pypika.terms import ExistsCriterion
+from pypika.terms import Bracket, ExistsCriterion, LiteralValue
 
 from erpnext.accounts.doctype.accounting_dimension.accounting_dimension import (
 	get_accounting_dimensions,
@@ -564,18 +564,15 @@ def get_accounting_entries(
 		account_filter_query = get_account_filter_query(root_lft, root_rgt, root_type, gl_entry)
 		query = query.where(ExistsCriterion(account_filter_query))
 
+	if group_by_account:
+		query = query.groupby("account")
+
 	from frappe.desk.reportview import build_match_conditions
 
-	query, params = query.walk()
-	match_conditions = build_match_conditions(doctype)
+	if match_conditions := build_match_conditions(doctype):
+		query = query.where(Bracket(LiteralValue(match_conditions)))
 
-	if match_conditions:
-		query += "and" + match_conditions
-
-	if group_by_account:
-		query += " GROUP BY `account`"
-
-	return frappe.db.sql(query, params, as_dict=True)
+	return query.run(as_dict=True)
 
 
 def get_account_filter_query(root_lft, root_rgt, root_type, gl_entry):

erpnext/accounts/report/general_ledger/general_ledger.py

@@ -324,10 +324,8 @@ def get_conditions(filters):
 
 	from frappe.desk.reportview import build_match_conditions
 
-	match_conditions = build_match_conditions("GL Entry")
-
-	if match_conditions:
-		conditions.append(match_conditions)
+	if match_conditions := build_match_conditions("GL Entry"):
+		conditions.append(f"({match_conditions})")
 
 	accounting_dimensions = get_accounting_dimensions(as_list=False)
 

erpnext/accounts/report/item_wise_purchase_register/item_wise_purchase_register.py

@@ -5,6 +5,7 @@
 import frappe
 from frappe import _
 from frappe.utils import flt
+from pypika.terms import Bracket, LiteralValue
 
 import erpnext
 from erpnext.accounts.report.item_wise_sales_register.item_wise_sales_register import (
@@ -361,15 +362,12 @@ def get_items(filters, additional_table_columns):
 
 	from frappe.desk.reportview import build_match_conditions
 
-	query, params = query.walk()
-	match_conditions = build_match_conditions(doctype)
-
-	if match_conditions:
-		query += " and " + match_conditions
+	if match_conditions := build_match_conditions(doctype):
+		query = query.where(Bracket(LiteralValue(match_conditions)))
 
 	query = apply_order_by_conditions(doctype, query, filters)
 
-	return frappe.db.sql(query, params, as_dict=True)
+	return query.run(as_dict=True)
 
 
 def get_aii_accounts():

erpnext/accounts/report/item_wise_sales_register/item_wise_sales_register.py

@@ -8,6 +8,7 @@ from frappe.query_builder import functions as fn
 from frappe.utils import flt
 from frappe.utils.nestedset import get_descendants_of
 from frappe.utils.xlsxutils import handle_html
+from pypika.terms import Bracket, LiteralValue, Order
 
 from erpnext.accounts.report.sales_register.sales_register import get_mode_of_payments
 from erpnext.accounts.report.utils import get_values_for_columns
@@ -390,20 +391,21 @@ def apply_conditions(query, si, sii, sip, filters, additional_conditions=None):
 
 
 def apply_order_by_conditions(doctype, query, filters):
-	invoice = f"`tab{doctype}`"
-	invoice_item = f"`tab{doctype} Item`"
+	invoice = frappe.qb.DocType(doctype)
+	invoice_item = frappe.qb.DocType(f"{doctype} Item")
 
 	if not filters.get("group_by"):
-		query += f" order by {invoice}.posting_date desc, {invoice_item}.item_group desc"
+		query = query.orderby(invoice.posting_date, order=Order.desc)
+		query = query.orderby(invoice_item.item_group, order=Order.desc)
 	elif filters.get("group_by") == "Invoice":
-		query += f" order by {invoice_item}.parent desc"
+		query = query.orderby(invoice_item.parent, order=Order.desc)
 	elif filters.get("group_by") == "Item":
-		query += f" order by {invoice_item}.item_code"
+		query = query.orderby(invoice_item.item_code)
 	elif filters.get("group_by") == "Item Group":
-		query += f" order by {invoice_item}.item_group"
+		query = query.orderby(invoice_item.item_group)
 	elif filters.get("group_by") in ("Customer", "Customer Group", "Territory", "Supplier"):
 		filter_field = frappe.scrub(filters.get("group_by"))
-		query += f" order by {filter_field} desc"
+		query = query.orderby(filter_field, order=Order.desc)
 
 	return query
 
@@ -481,15 +483,12 @@ def get_items(filters, additional_query_columns, additional_conditions=None):
 
 	from frappe.desk.reportview import build_match_conditions
 
-	query, params = query.walk()
-	match_conditions = build_match_conditions(doctype)
-
-	if match_conditions:
-		query += " and " + match_conditions
+	if match_conditions := build_match_conditions(doctype):
+		query = query.where(Bracket(LiteralValue(match_conditions)))
 
 	query = apply_order_by_conditions(doctype, query, filters)
 
-	return frappe.db.sql(query, params, as_dict=True)
+	return query.run(as_dict=True)
 
 
 def get_delivery_notes_against_sales_order(item_list):

erpnext/accounts/report/purchase_register/purchase_register.py

@@ -6,6 +6,7 @@ import frappe
 from frappe import _, msgprint
 from frappe.query_builder.custom import ConstantColumn
 from frappe.utils import flt, getdate
+from pypika.terms import Bracket, LiteralValue, Order
 
 from erpnext.accounts.party import get_party_account
 from erpnext.accounts.report.utils import (
@@ -421,15 +422,13 @@ def get_invoices(filters, additional_query_columns):
 
 	from frappe.desk.reportview import build_match_conditions
 
-	query, params = query.walk()
-	match_conditions = build_match_conditions("Purchase Invoice")
+	if match_conditions := build_match_conditions("Purchase Invoice"):
+		query = query.where(Bracket(LiteralValue(match_conditions)))
 
-	if match_conditions:
-		query += " and " + match_conditions
+	query = query.orderby("posting_date", order=Order.desc)
+	query = query.orderby("name", order=Order.desc)
 
-	query += " order by posting_date desc, name desc"
-
-	return frappe.db.sql(query, params, as_dict=True)
+	return query.run(as_dict=True)
 
 
 def get_conditions(filters, query, doctype):

erpnext/accounts/report/sales_register/sales_register.py

@@ -7,6 +7,7 @@ from frappe import _, msgprint
 from frappe.model.meta import get_field_precision
 from frappe.query_builder.custom import ConstantColumn
 from frappe.utils import flt, getdate
+from pypika.terms import Bracket, LiteralValue, Order
 
 from erpnext.accounts.party import get_party_account
 from erpnext.accounts.report.utils import (
@@ -457,15 +458,13 @@ def get_invoices(filters, additional_query_columns):
 
 	from frappe.desk.reportview import build_match_conditions
 
-	query, params = query.walk()
-	match_conditions = build_match_conditions("Sales Invoice")
+	if match_conditions := build_match_conditions("Sales Invoice"):
+		query = query.where(Bracket(LiteralValue(match_conditions)))
 
-	if match_conditions:
-		query += " and " + match_conditions
+	query = query.orderby("posting_date", order=Order.desc)
+	query = query.orderby("name", order=Order.desc)
 
-	query += " order by posting_date desc, name desc"
-
-	return frappe.db.sql(query, params, as_dict=True)
+	return query.run(as_dict=True)
 
 
 def get_conditions(filters, query, doctype):

erpnext/projects/report/daily_timesheet_summary/daily_timesheet_summary.py

@@ -60,6 +60,6 @@ def get_conditions(filters):
 
 	match_conditions = build_match_conditions("Timesheet")
 	if match_conditions:
-		conditions += " and %s" % match_conditions
+		conditions += " and (%s)" % match_conditions
 
 	return conditions

erpnext/projects/utils.py

@@ -15,7 +15,7 @@ def query_task(doctype, txt, searchfield, start, page_len, filters):
 	search_string = "%%%s%%" % txt
 	order_by_string = "%s%%" % txt
 	match_conditions = build_match_conditions("Task")
-	match_conditions = ("and" + match_conditions) if match_conditions else ""
+	match_conditions = (f"and ({match_conditions})") if match_conditions else ""
 
 	return frappe.db.sql(
 		"""select name, subject from `tabTask`